topic Re: When setting up HA from a stand-alone...how should I configure LAN ports on the switch? What state are links on the passive node? in General Topics

When setting up HA from a stand-alone...how should I configure LAN ports on the switch? What state are links on the passive node?

inSync-MarkValpreda — Mon, 24 Feb 2025 21:35:48 GMT

I have a standalone PA-440 that I am in the process of moving to HA. I have all the wiring done with ISP1 and ISP2 broken out and going to the same ports on each of the 440s. That part all seems fine. I have all the licenses in place and I have green dots and sync across everything in the HA widget on the dashboard.

I only have a single switch at this location and the current PA-440 is plugged into port 48 on my Ruckus switch. I plugged in the passive into port 47 (same config, VLANs, etc) and the port went down and with err-diabled BPDUGUARD. Is that expected? I want to cycle the port to bring it out of error state, but don't want to bork anything as it is a remote facility. Wondering if I need to set up LACP/LAG on the switch for ports 47 and 48 since they will have the same MAC address.

I have verified that with 'show interface all' on both PA-440s that the MAC addresses are the same on all interfaces. On the passive, will the ports I am using (apart from HA) be 'configured but down'? Is that expected as well? I have the passive link state set to shutdown, so I am guessing so. Any benefit or issue with changing that to auto? Want to keep the failover timing on this as low as possible.

Re: When setting up HA from a stand-alone...how should I configure LAN ports on the switch? What state are links on the passive node?

TomYoung — Tue, 25 Feb 2025 18:34:44 GMT

Hi @inSync-MarkValpreda ,

No, it is not expected that the port go error-disable with BPDUGuard. The NGFW does not initiate BPDUs, but it can forward them for L2/VWire interfaces. My guess is that the passive may still have had the default VWire configuration on it when the ports were initially plugged in. The ports connected to the passive NGFW should be configured exactly the same as the corresponding ports connected to the active NGFW. As long as HA is up and the configuration is synced and the NGFW is in passive state, it is safe to bring up the ports to the passive NGFW.

You do not want to setup LACP on ports connected to 2 different NGFWs. With the same config on the ports connected to active and passive, the MAC address should only show on the port connected to the active NGFW. If you want to configure LACP with multiple ports to each NGFW, configure 1 group to 1 NGFW, and a 2nd group to the 2nd NGFW. If you want LACP to be pre-negotiated on the passive NGFW, check the "Enable in HA Passive State" box under the AE interface. This will require that the passive link state be set to auto also.

As you asked, changing the passive link state be set to auto will speed the failover a little bit. The ports will be up on the passive. You should see no traffic or MAC addresses on the passive ports.

Thanks,

Tom

Re: When setting up HA from a stand-alone...how should I configure LAN ports on the switch? What state are links on the passive node?

inSync-MarkValpreda — Tue, 25 Feb 2025 21:59:56 GMT

Good call on when the HA device was plugged in. I think it might have been in the initial state where the interfaces are in virtual wire. I will cycle that port.

No LACP on the ports connected to the different NGFWs....got it! I do have another one that I am going to do where there is an AE interface plugged into two different switches in a stack. I think I have those set for passive on the switch already.

Is there anything that I should do on the switch to keep the failover time as low as possible?

Re: When setting up HA from a stand-alone...how should I configure LAN ports on the switch? What state are links on the passive node?

TomYoung — Wed, 26 Feb 2025 22:35:20 GMT

This is a good doc on HA best practices. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5ZCAS

With regard to HA Timer Settings, most people use Recommended, but you want faster failover choose Aggressive.

I would definitely configure Link Monitoring. I would only configure Path Monitoring if you have redundant switches toward the ISP.

EDIT: No, there is nothing else you would do on the switch.

Re: When setting up HA from a stand-alone...how should I configure LAN ports on the switch? What state are links on the passive node?

inSync-MarkValpreda — Wed, 26 Feb 2025 22:38:52 GMT

Thanks for the info on the switch.

I inherited this PA set up, so not sure where the 'link monitoring' is, or if it is set up. I just know PBF is set up for the ISP failover.

No redundant switches to the ISP in this location.

Re: When setting up HA from a stand-alone...how should I configure LAN ports on the switch? What state are links on the passive node?

TomYoung — Wed, 26 Feb 2025 22:58:07 GMT

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/device/device-high-availability/ha-link-and-path-monitoring